Bloquear MSN no Iptables ou Squid e liberar para IP's ou Usuarios

1. Bloquear MSN no Iptables ou Squid e liberar para IP's ou Usuarios

felipepetitto
(usa Outra)

Enviado em 04/08/2012 - 17:00h

Boa tarde,

Estou tendo problemas ao configurar meu firewall para bloquear todos de entrarem no MSN com exceção dos usuários e/ou IP's que eu colocar.
No caso não estou conseguindo nem bloquear a entrada do MSN por isso não criei a regra de IP's liberados.

Por favor, me ajudem! Preciso desse firewall rodando na segunda-feira e é só o que resta pra ser feito.

Segue abaixo os confs do Squid e Firewall:

FIREWALL:

#!/bin/sh
#Configuracao de Variaveis.
IPT=/sbin/iptables
NET=eth0
REDE=eth1

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
fi

#Ativando syn cookies protecao no kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#Setando o kernel para dinamico IP masquerado
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

#Flushing all e criando chains.

$IPT -F
$IPT -F -t nat
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F
$IPT -t nat -F
$IPT -X

modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_tables
modprobe sch_htb

$IPT --flush
$IPT --table nat --flush
$IPT --table mangle --flush
$IPT --table filter --flush
$IPT --delete-chain
$IPT --table nat --delete-chain
$IPT --table mangle --delete-chain
$IPT --table filter --delete-chain

#Bloqueaia tudo
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

$IPT -N TRINOO
$IPT -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$IPT -A TRINOO -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 27444 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 27665 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 31335 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 34555 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 35555 -j TRINOO

$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

$IPT -N TROJAN
$IPT -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$IPT -A TROJAN -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 4000 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6000 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6006 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 16660 -j TROJAN

$IPT -A FORWARD -p tcp --dport 1214 -j REJECT
$IPT -A FORWARD -p udp --dport 1214 -j REJECT
$IPT -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPT -A FORWARD -d 206.142.53.0/24 -j REJECT
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -N SCANNER

# Capturando o IP da Internet
ipnet=$1
ipnet=`ifconfig $NET| grep addr:| cut -f2 -d:| cut -f1 -d " "`
echo $ipnet

# Liberando as PORTAS
INTERNAS="5222,5223,22,3128,9090,10000,80,139,445"
EXTERNAS="22,10000"

$IPT -A INPUT -p tcp -m multiport --dport $INTERNAS -i $REDE -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $INTERNAS -i $REDE -j ACCEPT

#Para IP especifico: $IPT -A INPUT -p tcp --dport 22 -i $REDE -j ACCEPT -s 10.10.0.1

$IPT -A INPUT -p tcp -m multiport --dport $EXTERNAS -i $NET -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $EXTERNAS -i $NET -j ACCEPT

#Liberar um IP - LIBERAR UM IP NO FIREWALL (AD, SERVIDORES, DIRETORIA)
$IPT -t nat -A PREROUTING -i $REDE -p tcp -s 192.168.0.16 -j RETURN

# Desvios do SISTEMA
$IPT -t nat -A PREROUTING -i $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Desvios Externos
$IPT -t nat -A PREROUTING -d $ipnet -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.16
$IPT -t nat -A PREROUTING -d $ipnet -p udp --dport 3389 -j DNAT --to-destination 192.168.0.16

$IPT -t nat -A PREROUTING -d $ipnet -p tcp --dport 10000 -j DNAT --to-destination 192.168.0.50
$IPT -t nat -A PREROUTING -d $ipnet -p udp --dport 10000 -j DNAT --to-destination 192.168.0.50

# Compartilha a Internet
$IPT -t nat -A POSTROUTING -o $NET -j MASQUERADE
$IPT -A FORWARD -i $NET -j ACCEPT

SQUID:

acl all src all
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

############################### Autenticacao via passwd ##########################
access_log /var/log/squid/access.log squid
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic realm Digite seu Login
#acl autenticacao proxy_auth REQUERID
###################################################################################

############################## Autenticacao via AD ###############################
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=************,dc=com,dc=br" -D "cn=Linux,cn=Users,dc=**********,dc=com,dc=br" -w "******" -f sAMAccountName=%s -h 192.168.0.16
auth_param basic realm Acesso Controlado
auth_param basic children 5
auth_param basic credentialsttl 400 minutes
acl password proxy_auth REQUIRED
##################################################################################

#################################### ACLS #########################################
acl dld urlpath_regex -i "/ikd/squid/dld"
acl padrao url_regex -i "/ikd/squid/padrao"
acl blnivel1 url_regex -i "/ikd/squid/blnivel1"
acl blnivel2 url_regex -i "/ikd/squid/blnivel2"
acl liberados url_regex -i "/ikd/squid/liberados"
acl ipliberado src "/ikd/squid/ipliberado"
external_acl_type checa_diretoria %LOGIN /ikd/squid/diretoria.sh
acl diretoria external checa_diretoria "/ikd/squid/diretoria"

external_acl_type checa_n1 %LOGIN /ikd/squid/n1.sh
acl nivel1 external checa_n1 "/ikd/squid/nivel1"

external_acl_type checa_n2 %LOGIN /ikd/squid/n2.sh
acl nivel2 external checa_n2 "/ikd/squid/nivel2"

###################################################################################

##################################### teste apagar ############################
external_acl_type passa_url %URI /ikd/squid/videos.sh
acl videos external passa_url "/ikd/squid/videos"

##############################################################################
#portas confiáveis de sites

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#####################################
http_access deny padrao
http_access allow diretoria
http_access allow ipliberado
http_access allow videos
http_access deny dld
http_access deny blnivel1 !liberados
http_access allow nivel1
http_access deny blnivel2 !liberados
http_access allow nivel2

#####################################
http_access allow localhost
http_port 3128 transparent

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
error_directory /usr/share/squid/errors/Portuguese

Obrigado!
Felipe

0 0

Quote